|resources:||Home Web Forum Mailing List Installation Changelog Source Code Members Bugs Screenshots|
- (Jul/22/08)An Enigform Wordpress Authentication Plugin is coming!
- Enigform Article in Czech language available
- (Jun/12/07) Enigform on Wikipedia! (and *I DIDNT* create the article, whoa!)
- mod_auth_openpgp now in Mandriva Linux!
- mod_auth_openpgp added to Source Mage GNU/Linux!
- We have a forum!
- (May/1/07) OWASP granted USD 2,500 to Enigform!!!!!
- Free Software Mag. has Interviewed me
- Enigform Apache Module 0.2.0 Available!
- (Apr/14/07) Enigform 0.8.0 Available!
- Freshmeat Article about Enigform
Welcome to Enigform. Welcome to a new kind of HTTP Authentication!
Enigform is a Mozilla Firefox extension that provides you the ability to digitally sign HTTP requests, even those generated via AJAX calls. It implements the mechanism described in the white paper entitled OpenPGP Signing for HTTP by Arturo Buanzo Busleiman.
You can obtain support via our exclusive #enigform channel at the Buanzo IRC Network. Just /server to irc.buanzo.org!
This extension is focused on adding an extra layer of security to the HTTP protocol. There is also a great extension called Enigmail that enhances Mozilla Thunderbird with PGP capabilities. You can check out Enigmail at its Mozdev Page.
There is also another GnuPG extension for Firefox, which brings an interface to encrypt, decrypt, sign or verify the signature of a text in any web page using GnuPG. It is called FireGPG and it is quite cool!
For years different methods for User Authentication and Session Management have been implemented:
- HTTP Authentication
- GET/POST values
- SSL Certificates
- A combination of all the above.
Regarding SMTP, e-mail has been digitally signed for a long time now, and it is a standard. Extending its usage to the HTTP protocol sounded like a natural idea, specially at 3am when I woke up with a OpenPGP-signed HTTP POST request in my head.
By having the GET query string and the POST payload ("variable=test") signed using an ASCII armored, Clearsign, OpenPGP based procedure, the browsing user can provide Identity and Data Authentication to that payload, thus adding all OpenPGP benefits to the HTTP protocol.
This allows web developers to add a new layer of security to their applications, and if correctly implemented will render man in the middle attacks useless. The direct benefit of implementing this extension is that web developers will be able to verify the payload's signature, potentially avoiding obscure session management, and/or complicated login procedures.
For example, Highly Secure Home Banking sites could be created by using Enigform + some simple server side code, or by using the Apache module mod_auth_openpgp, that can verify the requests automagically and which, in combination with mod_access, can allow/reject requests.
Enigform Developers TEST site
The NEW Enigform Test site is a simple PHP script that allows users to test Enigform functionality for GET and POST, while showing lots of potentially useful debugging information. Although it does not have an "import key" feature, it is a great resource for developers.
Enigform Demo Site - Smutty Based
Smutty is the first PHP MVC Framework that supports Enigform. It's also a WONDERFUL framework, that I really like. Rod, the author, has created a demo of an Enigform-based login procedure. So, if you want to try it out: configure your GnuPG (that is, create a key pair), Install Enigform (make sure it is version 0.7.6!), then visit http://smutty.pu-gh.com/demo/enigform.
Example Server-Side PHP Code
Currently, only the Smutty PHP MVC Framework supports Enigform. If you plan on deploying a site that supports this new kind of authentication and integrity system, you can also check out the Smutty API for the Smutty_GPG Class and derivatives.
Additionally, you can download the Enigform Test Site PHP script directly from this location